Protection is defined as the plan-based creation of operation and countermeasures.

What is the definition of 'response'?

Response is defined as recovery according to plan.

How can good security be an enabler? [57]

Good security provides confidence in network reliability.

It also allows the safe and effective implementation of progressive business tactics, such as inter-organizational system connectivity.

With good security, firms can innovate in their business practices without incurring as significant a material risk.

What is the key to being an enabler? [58]

Being involved early within the project.

Why is having a negative view of users bad? [59]

Users must not be seen as an enemy.

They are the first to see security problems.

They can give early warnings to the security staff.

Also, users need to be trained in security self-defense so that they can protect their own assets from threats.

If “stupid” means “poorly trained,” this is the security department’s fault.

Why is viewing the security function as a police force or military organization a bad idea? [59]

Police and military organizations are often considered oppressive in enforcing their policies.

Creating a police-like security atmosphere relies on fear of internal reprisal to enforce policy, rather than fostering a proactive partnership between employees and security personnel to protect the organization from the real bad guys that seek to harm everyone in the firm.

In developing an IT security plan, what should a company do first? [59]

Assess its current level/state of security.

What are the major categories of driving forces that a company must consider for the future? [59-60]

Companies must consider:

- The threat environment

- Growth of compliance laws and regulations

- Changes in corporate structure

- Mergers

- Etc.

What should the company do for each resource? [60]

Classify them in terms of importance - not all are of equal importance.

With limited budgets, they must be prioritised.

For what should a company develop remediation plans? [60]

All security gaps.

Every resource unless it is very well protected.

How should the IT security staff view its list of possible remediation plans as a portfolio? [60]

By viewing it as a portfolio, security staff can assess which remediation plans should get funding and action first.